package jdbc;

import java.sql.*;

/**
 * 预编译SQL
 * 预编译SQL允许我们使用“？”对SQL的“值”进行占位，这样可以将语句的语义定死，避免出现SQL注入问题
 */
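public class Demo8 {
    /**
     * Demonstrates a parameterised (pre-compiled) login query.
     *
     * <p>The SQL text contains only {@code ?} placeholders, so the values bound
     * afterwards travel to the driver as parameters and are never re-parsed as
     * SQL. The second {@code setString(2, ...)} call deliberately overwrites the
     * password with a classic injection payload; because it is bound as a value
     * it is compared literally, the row does not match, and the failure message
     * is printed.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        // NOTE(review): this compares the password column to the supplied clear
        // text; a real login would compare against a stored password hash.
        String sql = "SELECT id,username,password,nickname,age " +
                     "FROM user " +
                     "WHERE username=? AND password=? ";
        // PreparedStatement and ResultSet are AutoCloseable; the original only
        // closed the Connection, leaking the statement and cursor on every run.
        try (Connection connection = DBUtil.getConnection();
             PreparedStatement ps = connection.prepareStatement(sql)) {
            // Bind the values for each "?" by 1-based position.
            ps.setString(1, "范传奇");
            ps.setString(2, "123456");
            // Overwrites parameter 2 with an injection payload to show that a
            // bound value cannot alter the query structure.
            ps.setString(2, "a' OR '1'='1");
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    System.out.println("登陆成功");
                } else {
                    System.out.println("登录失败");
                }
            }
        } catch (SQLException e) {
            // The original called e.getStackTrace(), which only returns the
            // trace and silently discarded the failure; report it instead.
            e.printStackTrace();
        }
    }
}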
